ET MALWARE Gozi/BlackNet Checkin

SID: 2019378  Rev: 17  (0 views)

History
Source: et/open
Created: October 9, 2014
Updated: May 1, 2023
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/BlackNet Checkin"; flow:established,to_server; urilen:100<>325; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; content:!"?key="; content:!"?token="; content:!"/index.php"; content:!"act=bkw9"; nocase; content:!"?data="; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:!"DriverUpdate"; http.host; content:!"remocam.com"; content:!"desktopad.com"; content:!"mydlink.com"; content:!"gadingpos.com"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019378; rev:17; metadata:created_at 2014_10_09, performance_impact Significant, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_01, reviewed_at 2024_03_21;)

References

md5: cd2d9c7bd5de6d12718785f495ce1bb4
url: csis.dk/en/csis/news/4472/

Metadata

created at: 2014_10_09
performance impact: Significant
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_05_01
reviewed at: 2024_03_21
